Kaspersky Lab detects a multifunctional Android Trojan

The anti-virus company Kaspersky Lab announced the discovery of an unusual mobile Trojan: the malware, dubbed Loapi, is unlike any other malware for the Android platform. Thanks to its modular structure, it has an extremely wide range of functions and can perform an almost unlimited set of malicious actions on an infected device, from subscribing the victim to paid services to cryptocurrency mining. Antivirus experts have never before encountered such a multitasking Android Trojan. To date, Kaspersky Lab has recorded over 45,000 attempts to infect devices with the malware.

Loapi spreads through advertising campaigns that redirect users to cybercriminals' sites, where they download the malware. Kaspersky Lab experts have counted more than 20 such resources; most of their domain names refer to anti-virus solutions and to one very famous porn site. The Trojan disguises itself as mobile security solutions and adult applications. After installation, Loapi asks for administrator rights so persistently that the user is left no choice but to agree, and then proceeds to 'work'.

Loapi currently contains the following modules:

  • advertising – used for aggressive display of advertising, as well as hidden promotion of sites and accounts on social networks;
  • SMS – used to perform various operations with text messages, in particular, sending SMS to attackers, deleting incoming and outgoing messages, etc.;
  • web crawler – used to sign the victim up for paid subscriptions, with help from the SMS module, which hides the subscription activation message from the user;
  • proxy – allows attackers to execute HTTP requests from an infected device, which, among other things, is used to organize DDoS attacks;
  • miner – used to mine Monero (XMR) cryptocurrency.

Besides carrying out such a wide range of malicious actions, Loapi also has a self-defense function. For example, the Trojan actively resists the revocation of administrator rights: if a user attempts to take these rights away from it, the malware locks the device's screen and closes the settings window. In addition, Loapi receives from the C&C a list of applications that are dangerous to it, for example security solutions, and if any are found on the victim's smartphone, it displays a warning that malware has allegedly been detected and proposes removing it. Curiously, the warning is 'looped': if the user refuses to uninstall the application, the Trojan displays the notification over and over again until the 'correct' choice is made.

While investigating the malware, Kaspersky Lab experts discovered another dangerous feature of Loapi. The traffic generation module and the miner 'loaded' the test smartphone so heavily that the device's battery deformed and swelled after just two days of the Trojan's operation.
